
possible rootkit


21 replies to this topic

#1 sHuFLy

sHuFLy

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 01 September 2009 - 01:37 PM

Hey all!
I'm working on my boss' home computer that has picked up some nasty bug. Many of the symptoms are the same as recent posts: google redirect, fake virus popups, disabled task manager, not able to run virus scans...
This is a Windows XP with McAfee virus protection. I was able to run a scan with McAfee a couple days ago and deleted what it found. The popups are gone, but still getting redirect.
Boss has some really important files he doesn't want to lose... Please help!
DDS log and Ark to follow per instructions, also ran rootrepeal... will post when instructed.
sHuFLy


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 10:38:39.65 on Wed 08/19/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.503.186 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realone player\rpbrowserrecordplugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\1940576\program\BackWeb-1940576.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-10 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-22 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-7-22 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-7-22 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-10 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-10 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-10 40488]
S2 mrtRate;mrtRate; [x]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-10 33832]

=============== Created Last 30 ================


==================== Find3M ====================

2009-07-31 10:29 1,385,744 a------- c:\windows\system32\msvbvm60.dll
2009-04-15 20:36 71,888 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 10:40:10.75 ===============

Attached Files

  • ark.txt (3.1KB, 9 downloads)




#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:14 AM

Posted 16 September 2009 - 06:15 PM

DELETED: crossed posts with ken545. ken545, this is your thread.

Edited by etavares, 16 September 2009 - 06:21 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • ONLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:10:14 AM

Posted 16 September 2009 - 06:17 PM

Hello sHuFLy

Welcome to the Bleeping Computer Malware Removal Forum, sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.

You have a nasty Rootkit infection, let's do this.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instructions on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Edited by ken545, 19 September 2009 - 08:27 PM.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014



Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#4 sHuFLy

sHuFLy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 18 September 2009 - 06:29 PM

Thank you so much for the help.

I will download CF and post log ASAP. Just wanted to make a quick post to let you know we still need your assistance.

Thanks again, log coming soon.

Shufly

#5 sHuFLy

sHuFLy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 19 September 2009 - 12:51 PM

Thanks for sticking with me..

CF noted a few files to write down:

C:\WINDOWS\system32\drivers\kbiwkmgsnvmetq.sys
C:\WINDOWS\system32\kbiwkmltoieaqb.dll
C:\WINDOWS\system32\kbiwkmwulbqlrs.dat
C:\WINDOWS\system32\kbiwkmjtkmoygy.dll
C:\WINDOWS\system32\kbiwkmtjxjdsvx.dat

Here are the logs
Shufly


ComboFix 09-09-18.02 - Owner 09/06/2009 10:38.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.503.205 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Starware406
c:\documents and settings\All Users\Application Data\Starware406\buttons\1270_button_1b_def.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\1271_button_1b_def.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\1271_button_1b_over.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\Button_50.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\Button_60.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\Button_70.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\FindIt.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\FindItHot.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\findithotxp.png
c:\documents and settings\All Users\Application Data\Starware406\buttons\finditxp.png
c:\documents and settings\All Users\Application Data\Starware406\buttons\logo.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\logoxp.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\Weather.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\WeatherHot.bmp
c:\documents and settings\All Users\Application Data\Starware406\buttons\weatherhotxp.png
c:\documents and settings\All Users\Application Data\Starware406\buttons\weatherxp.png
c:\documents and settings\All Users\Application Data\Starware406\contexts\error.xml
c:\documents and settings\All Users\Application Data\Starware406\contexts\Related.xml
c:\documents and settings\All Users\Application Data\Starware406\contexts\Travel.xml
c:\documents and settings\All Users\Application Data\Starware406\images\walertXP.bmp
c:\documents and settings\All Users\Application Data\Starware406\SimpleUpdate\ProductMessagingConfig.xml
c:\documents and settings\All Users\Application Data\Starware406\SimpleUpdate\ProductMessagingConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware406\SimpleUpdate\SimpleUpdateConfig.xml
c:\documents and settings\All Users\Application Data\Starware406\SimpleUpdate\SimpleUpdateConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware406\SimpleUpdate\TimerManagerConfig.xml
c:\documents and settings\All Users\Application Data\Starware406\SimpleUpdate\TimerManagerConfig.xml.backup
c:\documents and settings\Owner\Application Data\Starware406
c:\documents and settings\Owner\Application Data\Starware406\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Owner\Application Data\Starware406\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\Button_5\Button_5Options.xml
c:\documents and settings\Owner\Application Data\Starware406\Button_5\Button_5Options.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\Button_6\Button_6Options.xml
c:\documents and settings\Owner\Application Data\Starware406\Button_6\Button_6Options.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\Button_7\Button_7Options.xml
c:\documents and settings\Owner\Application Data\Starware406\Button_7\Button_7Options.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\Casual_Games_News\Casual_Games_NewsOptions.xml
c:\documents and settings\Owner\Application Data\Starware406\Casual_Games_News\Casual_Games_NewsOptions.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\Configurator\Configurator.xml
c:\documents and settings\Owner\Application Data\Starware406\Configurator\Configurator.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\ErrorSearch\ErrorSearchOptions.xml
c:\documents and settings\Owner\Application Data\Starware406\ErrorSearch\ErrorSearchOptions.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\Layouts\ToolbarLayout.xml
c:\documents and settings\Owner\Application Data\Starware406\Layouts\ToolbarLayout.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\Manager\ManagerOptions.xml
c:\documents and settings\Owner\Application Data\Starware406\Manager\ManagerOptions.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\Play_Games\Play_GamesOptions.xml
c:\documents and settings\Owner\Application Data\Starware406\Play_Games\Play_GamesOptions.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\RelatedSearch\RelatedSearchOptions.xml
c:\documents and settings\Owner\Application Data\Starware406\RelatedSearch\RelatedSearchOptions.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\Toolbar\TBProductsOptions.xml
c:\documents and settings\Owner\Application Data\Starware406\Toolbar\TBProductsOptions.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\ToolbarLogo\ToolbarLogoOptions.xml
c:\documents and settings\Owner\Application Data\Starware406\ToolbarLogo\ToolbarLogoOptions.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\ToolbarSearch\ToolbarSearchOptions.xml
c:\documents and settings\Owner\Application Data\Starware406\ToolbarSearch\ToolbarSearchOptions.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\TravelSearch\TravelSearchOptions.xml
c:\documents and settings\Owner\Application Data\Starware406\TravelSearch\TravelSearchOptions.xml.backup
c:\documents and settings\Owner\Application Data\Starware406\Weather\AlertArchive.xml
c:\documents and settings\Owner\Application Data\Starware406\Weather\WeatherOptions.xml
c:\documents and settings\Owner\Application Data\Starware406\Weather\WeatherOptions.xml.backup
c:\program files\Starware406
c:\program files\Starware406\icons\star_16.ico
c:\program files\Starware406\Starware406Config.xml
c:\program files\Starware406\Starware406Uninstall.exe
c:\recycler\S-1-5-21-1403980995-2275803279-3484923586-1003
c:\recycler\S-1-5-21-4035973818-1636916862-1361887999-1003
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Installer\2282d20.msp
c:\windows\Installer\2282d35.msp
c:\windows\Installer\2282d3c.msi
c:\windows\Installer\2282d4f.msp
c:\windows\Installer\2282d63.msp
c:\windows\Installer\244050.msi
c:\windows\Installer\28e5f.msi
c:\windows\Installer\29471.msi
c:\windows\Installer\2948c.msi
c:\windows\Installer\29492.msi
c:\windows\Installer\2a5a6.msp
c:\windows\Installer\3667e.msp
c:\windows\Installer\36699.msp
c:\windows\Installer\366e2.msp
c:\windows\Installer\366f5.msp
c:\windows\Installer\36709.msp
c:\windows\Installer\3671f.msp
c:\windows\Installer\36732.msp
c:\windows\Installer\36746.msp
c:\windows\Installer\3676c.msp
c:\windows\Installer\36780.msp
c:\windows\Installer\36796.msp
c:\windows\Installer\367ab.msp
c:\windows\Installer\367bf.msp
c:\windows\Installer\367d4.msp
c:\windows\Installer\388b2.msp
c:\windows\Installer\44769.msi
c:\windows\Installer\5cd7d7.msi
c:\windows\Installer\9151ed.msi
c:\windows\Installer\be1af.msi
c:\windows\Installer\fa1487.msi
c:\windows\system32\drivers\kbiwkmgsnvmetq.sys
c:\windows\system32\kbiwkmjtkmoygy.dll
c:\windows\system32\kbiwkmltoieaqb.dll
c:\windows\system32\kbiwkmtjxjdsvx.dat
c:\windows\system32\kbiwkmwulbqlrs.dat
c:\windows\system32\ps2.bat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmqubrxlvn
-------\Legacy_kbiwkmqubrxlvn


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-08-18 21:39 . 2008-10-16 21:13 202776 ----a-w- c:\windows\system32\wuweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 16:44 . 2008-08-19 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-28 21:42 . 2006-03-14 02:59 -------- d-----w- c:\program files\Trend Micro
2009-08-28 21:04 . 2009-08-28 21:04 10752 ----a-w- c:\windows\DCEBoot.exe
2009-08-26 16:23 . 2009-08-26 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-08-26 16:23 . 2009-08-26 16:23 -------- d-----w- c:\program files\RegCure
2009-08-20 23:05 . 2007-02-16 21:35 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-07-31 17:29 . 2004-06-09 13:02 1385744 ----a-w- c:\windows\system32\msvbvm60.dll
.

------- Sigcheck -------

[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe

[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll

[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mspmsnsv.dll
[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\$NtServicePackUninstall$\mspmsnsv.dll
[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll

c:\windows\system32\wscntfy.exe ... is missing !!
c:\windows\system32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-16 185896]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-05-13 32881]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-07-19 98304]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-14 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-05-03 67584]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-05-03 2533888]
"Alcmtr"="ALCMTR.EXE" - c:\windows\ALCMTR.EXE [2004-04-27 57344]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"GEARSecurity"=2 (0x2)

S2 mrtRate;mrtRate; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-09-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-28 02:54]

2008-01-10 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-22 20:32]

2008-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-22 20:32]

2009-09-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-09-06 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-08-26 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GPEZK92R\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 10:46
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\ODBC32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(608)
c:\windows\System32\dssenh.dll
.
Completion time: 2009-09-06 10:50
ComboFix-quarantined-files.txt 2009-09-06 17:50

Pre-Run: 140,518,387,712 bytes free
Post-Run: 140,731,723,776 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

230 --- E O F --- 2009-08-23 14:54


--------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:38 AM, on 9/6/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 4723 bytes

Edited by sHuFLy, 19 September 2009 - 12:55 PM.


#6 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • ONLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:10:14 AM

Posted 19 September 2009 - 01:44 PM

Hi,

Looks like that nasty Rootkit is gone :( You're pretty lucky, as this rootkit's latest variant is much harder to remove. A few more things to do.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Fcopy::


Fcopy::
c:\windows\ServicePackFiles\i386\wscntfy.exe | c:\windows\system32\wscntfy.exe
c:\windows\ServicePackFiles\i386\xmlprov.dll | c:\windows\system32\xmlprov.dll

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.






Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.






Please download Malwarebytes' Anti-Malware from Here or Here
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    Posted Image
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please

Post the new Combofix log and the Malwarebytes log along with a new HJT log please

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#7 sHuFLy (Topic Starter)

Posted 19 September 2009 - 02:46 PM

OK.. Did everything as instructed but had to remove McAfee as it was interfering with CF even though I had disabled everything.
Here are the logs:

ComboFix 09-09-18.02 - Owner 09/06/2009 12:25.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.503.333 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\wscntfy.exe --> c:\windows\system32\wscntfy.exe
c:\windows\ServicePackFiles\i386\xmlprov.dll --> c:\windows\system32\xmlprov.dll
.
((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-06 19:25 . 2004-08-04 07:56 13824 ----a-w- c:\windows\system32\wscntfy.exe
2009-09-06 19:25 . 2004-08-04 07:56 129536 ----a-w- c:\windows\system32\xmlprov.dll
2009-09-06 19:20 . 2009-09-06 19:20 -------- d-----w- c:\windows\LastGood
2009-09-06 19:05 . 2009-09-06 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-06 19:05 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 19:05 . 2009-09-10 21:53 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 19:05 . 2009-09-06 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-06 19:05 . 2009-09-06 19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 18:58 . 2001-08-17 20:48 13952 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-09-06 18:58 . 2001-08-17 20:48 13952 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-09-06 18:57 . 2002-08-29 08:32 28160 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-09-06 18:57 . 2002-08-29 08:32 28160 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-08-28 21:04 . 2009-08-28 21:04 10752 ----a-w- c:\windows\DCEBoot.exe
2009-08-28 20:59 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-26 16:57 . 2009-08-26 16:57 -------- d-----w- c:\windows\McAfee.com
2009-08-26 16:23 . 2009-08-26 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-08-26 16:23 . 2009-08-26 16:23 -------- d-----w- c:\program files\RegCure
2009-08-18 21:39 . 2008-10-16 21:13 202776 ----a-w- c:\windows\system32\wuweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 19:20 . 2008-01-10 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-06 19:20 . 2008-05-22 23:55 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee
2009-09-06 16:44 . 2008-08-19 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-28 21:42 . 2006-03-14 02:59 -------- d-----w- c:\program files\Trend Micro
2009-08-20 23:05 . 2007-02-16 21:35 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-07-31 17:29 . 2004-06-09 13:02 1385744 ----a-w- c:\windows\system32\msvbvm60.dll
.

------- Sigcheck -------

[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe

[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\xmlprov.dll

[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mspmsnsv.dll
[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\$NtServicePackUninstall$\mspmsnsv.dll
[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-09-06_17.46.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-06 19:20 . 2003-08-16 02:07 17408 c:\windows\LastGood\System32\psapi.dll
+ 2009-09-06 19:20 . 2006-03-03 15:07 143360 c:\windows\LastGood\System32\dunzip32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-16 185896]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-05-13 32881]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-07-19 98304]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-14 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-05-03 67584]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-05-03 2533888]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
$McRebootA5E6DEAA56$.lnk - c:\windows\system32\cmd.exe [2004-6-9 375808]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"GEARSecurity"=2 (0x2)

S2 0219731252264836mcinstcleanup;McAfee Application Installer Cleanup (0219731252264836);c:\docume~1\Owner\LOCALS~1\Temp\021973~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\Owner\LOCALS~1\Temp\021973~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk
*Deregistered* - mfebopk
*Deregistered* - mfesmfk
.
Contents of the 'Scheduled Tasks' folder

2009-09-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-28 02:54]

2009-09-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-09-06 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-08-26 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 12:28
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\ODBC32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(612)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(184)
c:\windows\System32\msctfime.ime
c:\windows\System32\msi.dll
.
Completion time: 2009-09-06 12:30
ComboFix-quarantined-files.txt 2009-09-06 19:30
ComboFix2.txt 2009-09-06 17:50

Pre-Run: 140,709,167,104 bytes free
Post-Run: 140,689,149,952 bytes free

140 --- E O F --- 2009-08-23 14:54


--------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2825
Windows 5.1.2600 Service Pack 1

9/6/2009 12:45:13 PM
mbam-log-2009-09-06 (12-45-13).txt

Scan type: Quick Scan
Objects scanned: 101197
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe (Trojan.Agent) -> Delete on reboot.


--------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:12 PM, on 9/6/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: McAfee Application Installer Cleanup (0219731252264836) (0219731252264836mcinstcleanup) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\021973~1.EXE (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4166 bytes


Thanks again!
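
The Sigcheck block in the ComboFix log above prints an MD5 for every copy of a system file that ComboFix looked at, and the Fcopy:: step in the previous reply overwrites the system32 copy with the one from ServicePackFiles\i386. The script below is an added example, not ComboFix's or BleepingComputer's code: it parses those Sigcheck lines, pairs each system32 copy with its ServicePackFiles copy and reports the ones whose hashes differ, and it hashes two files on disk the same way so you can confirm an Fcopy actually left identical bytes behind. The sample lines are copied from the log above; the two directory paths are the XP SP2 defaults and are assumptions. The one mismatch it reports, mspmsnsv.dll, is a case in point: the system32 copy has the same MD5 as the copy in $NtServicePackUninstall$, i.e. an older build that was never replaced, so a differing hash is a reason to look, not proof of tampering.

```python
"""Cross-check the MD5s in a ComboFix 'Sigcheck' section: does the copy
loaded from system32 match the Service Pack reference copy?
Added example for this thread; not ComboFix code.  The two directory
paths are the XP SP2 defaults and are assumptions."""
import hashlib
import ntpath          # splits backslash paths correctly on any OS
import re
from collections import defaultdict

# One Sigcheck line:  [-] 2004-08-04 07:56 . <MD5> . <size> . . [<version>] . . <path>
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+?])\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?"
    r"\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\."
    r"\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"   # trusted SP2 copies (assumed default)
LIVE_DIR = r"c:\windows\system32"                      # the copies Windows actually loads


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["md5"] = d["md5"].upper()
            d["size"] = int(d["size"])
            d["path"] = d["path"].lower()
            entries.append(d)
    return entries


def pair_live_with_reference(entries, live_dir=LIVE_DIR, ref_dir=REFERENCE_DIR):
    """Map basename -> (live_md5, reference_md5) for files seen in both directories."""
    seen = defaultdict(dict)
    for e in entries:
        directory, name = ntpath.split(e["path"])
        if directory == live_dir.lower():
            seen[name]["live"] = e["md5"]
        elif directory == ref_dir.lower():
            seen[name]["ref"] = e["md5"]
    return {n: (v["live"], v["ref"]) for n, v in seen.items() if "live" in v and "ref" in v}


def mismatches(entries, **dirs):
    """Basenames whose system32 copy does not hash like the reference copy."""
    pairs = pair_live_with_reference(entries, **dirs)
    return sorted(name for name, (live, ref) in pairs.items() if live != ref)


def md5_file(path, chunk=1 << 16):
    """Streamed MD5 of a file.  MD5 only because that is what ComboFix prints;
    it is enough to notice a swapped file, not a collision-resistant integrity proof."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def file_matches_reference(live_path, ref_path):
    """True when the live file is byte-for-byte the reference, which is what a
    successful Fcopy:: should leave behind."""
    return md5_file(live_path) == md5_file(ref_path)


# Sample input: the Sigcheck lines copied from the ComboFix log earlier in this thread.
SAMPLE_LOG = r"""
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe

[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\xmlprov.dll

[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mspmsnsv.dll
[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\$NtServicePackUninstall$\mspmsnsv.dll
[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
"""

if __name__ == "__main__":
    parsed = parse_sigcheck(SAMPLE_LOG)
    pairs = pair_live_with_reference(parsed)
    for name in mismatches(parsed):
        live, ref = pairs[name]
        print(f"{name}: system32={live} reference={ref}  <-- differs, check why")
```

Run it as-is to see the mspmsnsv.dll report; to use it on a real log, feed the whole ComboFix.txt to parse_sigcheck, and after an Fcopy:: call file_matches_reference on the two paths you copied between.
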

#8 ken545 (Malware Response Team)

Posted 19 September 2009 - 07:23 PM

Hi,

Your logs are looking good :( There is no silver bullet to keeping secure, but keeping programs up to date is an essential part of the process. Your operating system and your IE browser are very outdated and need to be updated.

Open IE and go to Tools> Windows Updates and download and install all critical updates , this will include Service Pack 3 and Internet Explorer 8.


Let's update your Java to make your system more secure

Download the latest version Here save it, do not install it yet.

Java SE Runtime Environment (JRE) JRE 6 Update 16 <-- The wording is confusing but this is what you need
  • Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
  • Reboot your computer
  • Install the latest version
You can verify the installation Here



As a final check, run this free online virus scanner

Please run this free online virus scanner from ESET
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How is your system behaving now ???



#9 sHuFLy (Topic Starter)

Posted 19 September 2009 - 08:18 PM

Did all the updates except SP3, uninstalled old JAVA, installed new and verified. Used your link for ESET scan and it just shows some other language and no scan link. Also reinstalled McAfee - it started and ran for 15 or 20 minutes and now it says "your computer is not protected" but I cannot open the application. Has this thing re-invented itself?
sHuFLy

#10 ken545 (Malware Response Team)

Posted 19 September 2009 - 08:30 PM

You had a bad bunch of infections on this system. I am sure they're gone; maybe a leftover file or two we missed.

Try this one.

Please run this free online virus scanner from Kaspersky
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.



#11 sHuFLy (Topic Starter)

Posted 19 September 2009 - 08:33 PM

Clicked on Kaspersky Online Scanner button... nothing happens
Also, have now lost McAfee altogether - cannot modify or access. It appears to be uninstalled but Windows Security is still detecting it. Cannot run any virus scans at all and Explorer is acting up. ???

Edited by sHuFLy, 19 September 2009 - 09:50 PM.


#12 ken545 (Malware Response Team)

Posted 20 September 2009 - 02:34 AM

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries



#13 sHuFLy (Topic Starter)

Posted 20 September 2009 - 12:33 PM

I ran the Gmer scan.. log below. I should also let you know that I installed AVG Free yesterday as McAfee was rendered useless. Was able to run a scan with AVG and it came up with Win32\Rustock.Q in systemvolumeinformation\_restore. I didn't have AVG do anything with it though.

Here is the Gmer log...
Shufly

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-07 10:38:50
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\awtcykow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.363_x-ww_691a48fd\MSVCR80.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1740] 0x02010000

---- EOF - GMER 1.0.15 ----

#14 ken545 (Malware Response Team)

Posted 20 September 2009 - 01:56 PM

That bad file is in your System Restore Program, part of the clean up is flushing it all out when we're done but you can do it now.

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.
  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.
Reboot your computer

Turn ON System Restore.
  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.
Create a new Restore Point <-- Very Important
  • Go to Start> All Programs> Accessories> System Tools> System Restore and create a New Restore Point
System Restore Tutorial <-- If you need it




Open IE and go to Tools> Internet Options > Advanced Tab > Reset Internet Explorer Setting > Reset ......will take a few seconds...ok your way out, close IE and then reopen it and see if your browser is working ok.

Post a new Hijackthis log please



#15 sHuFLy (Topic Starter)

Posted 20 September 2009 - 02:26 PM

Cannot create a new restore point. System Restore will not come up (just a blank screen); even tried %systemroot%\system32\restore\rstrui.exe at the cmd prompt - still a blank screen. Also noticed that the system clock and calendar have been changed (current date says Monday, September 7, 2009). IE still acting funny after reset.. for instance, the icon for this website is showing as McAfee's icon. ???

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:23 PM, on 9/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Restore\rstrui.exe
C:\WINDOWS\system32\cmd.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealOne Player\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (file missing)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)

--
End of file - 6465 bytes

Edited by sHuFLy, 20 September 2009 - 02:34 PM.
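
The HijackThis logs in this thread show three patterns worth a second look when reading a log by hand: entries marked "(file missing)" or "(no file)", O23 services listed with "Unknown owner", and a service registered to run out of the user's Temp directory (the McAfee installer cleanup entry in the earlier log). The script below is an added example, not HijackThis code, that pulls those patterns out of a log automatically and also flags O4 autoruns that name a bare file with no directory, which Windows then resolves through the search path. The sample lines are copied from the logs above; the temp-directory markers and the finding names are my own heuristics. McAfee was removed and reinstalled several times in this thread, so the McAfee entries it flags are expected leftovers; the output is a triage list to check against what you know about the machine, not a verdict.

```python
"""Triage a HijackThis log: flag registrations whose file is gone, services
with no recognised publisher, autoruns living in a temp directory, and
autoruns that name a bare file.  Added example for this thread; not
HijackThis code.  The temp-directory markers and the finding names are
my own heuristics, not anything HJT defines."""
import re
from collections import Counter

# Lower-case fragments that mark a per-user or system temp directory on XP (assumed).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")

# O23 - Service: <display name> (<short name>) - <publisher> - <path> [(file missing)]
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def executable_of(cmd):
    """First token of an autorun command line: a quoted path or a bare word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return (kind, reason, line) tuples; one log line can yield several findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        # HJT itself marks a target that no longer exists; after an uninstall these
        # are usually leftovers, but an orphaned hook is also where a hijack was.
        if "(file missing)" in low or "(no file)" in low:
            findings.append(("orphan", "registration points at a file that no longer exists", line))
        m = SERVICE_RE.match(line)
        if m:
            if m.group("owner").strip().lower() == "unknown owner":
                findings.append(("unknown-owner", "service binary has no recognised publisher", line))
            if any(t in m.group("path").lower() for t in TEMP_MARKERS):
                findings.append(("temp-path", "service is registered to run from a temp directory", line))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd")).lower()
            if any(t in exe for t in TEMP_MARKERS):
                findings.append(("temp-path", "autorun starts a binary in a temp directory", line))
            elif "\\" not in exe:
                findings.append(("unqualified", "autorun names a bare file resolved via the search path", line))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'orphan': 4, 'unknown-owner': 2, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


# Sample input: lines copied from the HijackThis logs earlier in this thread.
SAMPLE_HJT = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (file missing)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: McAfee Application Installer Cleanup (0219731252264836) (0219731252264836mcinstcleanup) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\021973~1.EXE (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
"""

if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_HJT):
        print(f"[{kind}] {reason}\n    {line}")
    print(summarize(triage(SAMPLE_HJT)))
```

On the sample it produces eight findings; the McAfee cleanup service alone triggers three (orphan, unknown-owner, temp-path), which is the combination that would make a real entry worth chasing. Point triage() at the contents of a saved hijackthis.log to run it on a full log.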




